Wednesday, April 27, 2011

It’s Iteration Time

Recently, I had an interesting problem presented to me that I was able to solve using a seldom-used piece of IDM functionality.

The project I am working on had a requirement to read some information in from Active Directory and write it into IDM, but with a twist: we only needed to get information from certain OUs, about 30 of them. With that many, it did not make sense to write a separate pass for each and every OU. That would be unwieldy and a complete pain to administer: you’d have to make a new copy of the pass for each OU to be added, or delete the pass if one should be removed, which leaves far too much room for mistakes. Now, if IDM could somehow iterate through the list, we'd be set!

Instead, one of the talented people on the project built a PowerShell script that creates a list of the OUs that need to be processed and dumps it to a text file. IDM can execute this script using a Shell execute pass. When it’s done, we take that output and load it into the database using a From ASCII pass. Now here’s where the fun comes in…

The next pass is a From LDAP pass, as one would expect in a reconciliation process. However, we’re going to set it up a little differently by using the “Advanced” button to set up a process that iterates through the OUs that we just moved into the database table from the PowerShell script.

To start, configure the pass as you usually would: set a repository, and populate the login name, password and a starting point using one of the OUs that you will be reconciling from. When it’s all configured correctly, go to the Destination tab and read in the Source Template, then come back to the Source tab and hit the “Advanced” button.

Set up your database source and SQL statement as you would in any other task.  When you’re done, it should look something like this:


Note that I use a Constant to hold the database connection string. It saves some time, since I don’t have to keep generating it, and provides an easy way to update everything when I move from DEV/TEST to PROD.

Now, as you recall, above we set a Starting Point based on one of the OUs from our list. We’re going to change that. Go back to the LDAP URL configuration and replace the OU with the value from our query. It will look something like this:


Now you might be wondering why we can’t determine the Datasource Template with the dynamic configuration. The simple answer is that you just can’t: if you try, you’ll be told that it is not possible to discover the schema from a dynamic starting point. However, if you’ve configured everything correctly, go ahead and run the task. You’ll see that you have just gathered AD user information from a number of different OUs. Good work!
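As an added illustration (not code from the original post, and not part of the IDM product), here is a small Python model of the three passes described above: the OU list that the PowerShell script writes, the table that the From ASCII pass loads it into, and the per-row LDAP URL that the From LDAP pass iterates over. The hostname, the DNs, the table name and the LDAP URL layout are assumptions made for the example, and an in-memory SQLite table stands in for the IDM database. The one thing it adds beyond the post is the check a practitioner would want in this pipeline: every row is validated as an OU under an expected subtree before it becomes a starting point, so a stray or malformed line in the text file cannot point the pass at an unintended part of the directory.

```python
import re
import sqlite3
from urllib.parse import quote

# Constructed sample of the text file the PowerShell script would write: one OU DN per
# line. It deliberately contains a blank line, a duplicate, a comment and a non-OU object.
OU_LIST_TEXT = """\
OU=Sales,OU=Users,DC=example,DC=com
OU=Engineering,OU=Users,DC=example,DC=com

OU=Sales,OU=Users,DC=example,DC=com
# stray line that must never become a starting point
CN=Administrator,CN=Users,DC=example,DC=com
OU=Finance,OU=Users,DC=example,DC=com
"""

# Assumption for the example: only OUs rooted here are acceptable starting points.
ALLOWED_SUFFIX = "OU=Users,DC=example,DC=com"

# One or more "OU=<name>," components followed by the fixed suffix, nothing else.
OU_DN_PATTERN = re.compile(
    r"^(?:OU=[^,=]+,)+" + re.escape(ALLOWED_SUFFIX) + r"$", re.IGNORECASE
)


def parse_ou_list(text: str) -> list[str]:
    """Mimics the From ASCII pass: one DN per line, blank lines and comments dropped,
    duplicates collapsed, and anything that is not an OU under the allowed suffix rejected."""
    seen: set[str] = set()
    ous: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not OU_DN_PATTERN.match(line):
            continue  # a CN= object, or a DN outside the allowed subtree
        key = line.lower()  # DNs are case-insensitive, so dedupe case-insensitively
        if key in seen:
            continue
        seen.add(key)
        ous.append(line)
    return ous


def load_into_table(ous: list[str]) -> sqlite3.Connection:
    """Stand-in for the database table the From ASCII pass populates (table name assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ou_list (dn TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO ou_list (dn) VALUES (?)", [(ou,) for ou in ous])
    conn.commit()
    return conn


def ldap_url(host: str, base_dn: str) -> str:
    """RFC 4516 style LDAP URL for a subtree search under base_dn. The DN is percent-encoded
    (commas and '=' kept) so spaces or '?' in an OU name cannot spill into the other fields."""
    return f"ldap://{host}/{quote(base_dn, safe='=,')}??sub?(objectClass=user)"


def starting_points(conn: sqlite3.Connection, host: str) -> list[str]:
    """The iteration the Advanced dynamic source performs: one starting point per table row,
    produced by the same SELECT you would put in the Advanced SQL statement."""
    rows = conn.execute("SELECT dn FROM ou_list ORDER BY dn").fetchall()
    return [ldap_url(host, dn) for (dn,) in rows]


if __name__ == "__main__":
    conn = load_into_table(parse_ou_list(OU_LIST_TEXT))
    for url in starting_points(conn, "dc01.example.com"):
        print(url)
```

In the real pipeline the equivalent guard is a WHERE clause on the Advanced SQL statement, or a filter in the PowerShell script, that restricts rows to the expected suffix; either way the list should be treated as untrusted input to the From LDAP pass rather than as configuration.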
